Total
2086 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-11279 | 1 Cloudfoundry | 1 Uaa Release | 2024-09-17 | 8.8 High |
| CF UAA versions prior to 74.1.0 can request scopes for a client that shouldn't be allowed by submitting an array of requested scopes. A remote malicious user can escalate their own privileges to any scope, allowing them to take control of UAA and the resources it controls. | ||||
| CVE-2020-28443 | 1 Sonar-wrapper Project | 1 Sonar-wrapper | 2024-09-17 | 9.8 Critical |
| This affects all versions of package sonar-wrapper. The injection point is located in lib/sonarRunner.js. | ||||
| CVE-2019-3920 | 1 Nokia | 2 I-240w-q Gpon Ont, I-240w-q Gpon Ont Firmware | 2024-09-17 | 8.8 High |
| The Alcatel Lucent I-240W-Q GPON ONT using firmware version 3FE54567BOZJ19 is vulnerable to authenticated command injection via crafted HTTP request sent by a remote, authenticated attacker to /GponForm/device_Form?script/. | ||||
| CVE-2018-19950 | 1 Qnap | 2 Music Station, Qts | 2024-09-17 | 9.8 Critical |
| If exploited, this command injection vulnerability could allow remote attackers to execute arbitrary commands. This issue affects: QNAP Systems Inc. Music Station versions prior to 5.1.13; versions prior to 5.2.9; versions prior to 5.3.11. | ||||
| CVE-2018-3772 | 1 Whereis Project | 1 Whereis | 2024-09-17 | N/A |
| Concatenating unsanitized user input in the `whereis` npm module < 0.4.1 allowed an attacker to execute arbitrary commands. The `whereis` module is deprecated and it is recommended to use the `which` npm module instead. | ||||
| CVE-2017-2833 | 1 Foscam | 2 C1, C1 Firmware | 2024-09-17 | 7.5 High |
| An exploitable command injection vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.37. A specially crafted HTTP request can allow for a user to inject arbitrary shell characters resulting in command injection during the boot process. To trigger this vulnerability, an attacker needs to send an HTTP request and reboot the device. | ||||
| CVE-2021-31357 | 1 Juniper | 1 Junos Os Evolved | 2024-09-17 | 7.8 High |
| A command injection vulnerability in tcpdump command processing on Juniper Networks Junos OS Evolved allows an attacker with authenticated CLI access to be able to bypass configured access protections to execute arbitrary shell commands within the context of the current user. The vulnerability allows an attacker to bypass command authorization restrictions assigned to their specific user account and execute commands that are available to the privilege level for which the user is assigned. For example, a user that is in the super-user login class, but restricted to executing specific CLI commands could exploit the vulnerability to execute any other command available to an unrestricted admin user. This vulnerability does not increase the privilege level of the user, but rather bypasses any CLI command restrictions by allowing full access to the shell. This issue affects Juniper Networks Junos OS Evolved: All versions prior to 20.3R2-S1-EVO; 20.4 versions prior to 20.4R2-S2-EVO; 21.1 versions prior to 21.1R2-EVO; 21.2 versions prior to 21.2R1-S1-EVO, 21.2R2-EVO. | ||||
| CVE-2017-16100 | 1 Dns-sync Project | 1 Dns-sync | 2024-09-17 | N/A |
| dns-sync is a sync/blocking dns resolver. If untrusted user input is allowed into the resolve() method then command injection is possible. | ||||
| CVE-2021-23326 | 1 The-guild | 1 Graphql-tools | 2024-09-17 | 6.3 Medium |
| This affects the package @graphql-tools/git-loader before 6.2.6. The use of exec and execSync in packages/loaders/git/src/load-git.ts allows arbitrary command injection. | ||||
| CVE-2020-8101 | 1 Adt | 2 Lifeshield Diy Hd Video Doorbell, Lifeshield Diy Hd Video Doorbell Firmware | 2024-09-17 | 6.9 Medium |
| Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in HTTP interface of ADT LifeShield DIY HD Video Doorbell allows an attacker on the same network to execute commands on the device. This issue affects: ADT LifeShield DIY HD Video Doorbell version 1.0.02R09 and prior versions. | ||||
| CVE-2017-8193 | 1 Huawei | 1 Fusionsphere Openstack | 2024-09-17 | N/A |
| The FusionSphere OpenStack V100R006C00SPC102(NFV) has a command injection vulnerability. Due to the insufficient input validation on one port, an authenticated, local attacker may exploit the vulnerability to gain root privileges by sending message with malicious commands. | ||||
| CVE-2022-0902 | 1 Abb | 14 Rmc-100, Rmc-100-lite, Rmc-100-lite Firmware and 11 more | 2024-09-17 | 8.1 High |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in flow computer and remote controller products of ABB ( RMC-100 (Standard), RMC-100-LITE, XIO, XFCG5 , XRCG5 , uFLOG5 , UDC) allows an attacker who successfully exploited this vulnerability could insert and run arbitrary code in an affected system node. | ||||
| CVE-2020-7697 | 1 Mock2easy Project | 1 Mock2easy | 2024-09-17 | 9.8 Critical |
| This affects all versions of package mock2easy. a malicious user could inject commands through the _data variable: Affected Area require('../server/getJsonByCurl')(mock2easy, function (error, stdout) { if (error) { return res.json(500, error); } res.json(JSON.parse(stdout)); }, '', _data.interfaceUrl, query, _data.cookie,_data.interfaceType); | ||||
| CVE-2017-14593 | 1 Atlassian | 1 Sourcetree | 2024-09-17 | N/A |
| Sourcetree for Windows had several argument and command injection bugs in Mercurial and Git repository handling. An attacker with permission to commit to a repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system. From version 0.8.4b of Sourcetree for Windows, this vulnerability can be triggered from a webpage through the use of the Sourcetree URI handler. Versions of Sourcetree for Windows starting with 0.5.1.0 before version 2.4.7.0 are affected by this vulnerability | ||||
| CVE-2021-27449 | 1 Mesalabs | 1 Amegaview | 2024-09-17 | 9.9 Critical |
| Mesa Labs AmegaView Versions 3.0 and prior has a command injection vulnerability that can be exploited to execute commands in the web server. | ||||
| CVE-2022-21941 | 1 Johnsoncontrols | 2 Istar Ultra, Istar Ultra Firmware | 2024-09-17 | 10 Critical |
| All versions of iSTAR Ultra prior to version 6.8.9.CU01 are vulnerable to a command injection that could allow an unauthenticated user root access to the system. | ||||
| CVE-2022-26085 | 1 Inhandnetworks | 2 Ir302, Ir302 Firmware | 2024-09-17 | 8.8 High |
| An OS command injection vulnerability exists in the httpd wlscan_ASP functionality of InHand Networks InRouter302 V3.5.4. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability. | ||||
| CVE-2019-1782 | 1 Cisco | 97 Firepower 4110, Firepower 4120, Firepower 4140 and 94 more | 2024-09-17 | 6.7 Medium |
| A vulnerability in the CLI of Cisco FXOS Software and Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of arguments passed to certain CLI commands. An attacker could exploit this vulnerability by including malicious input as the argument of an affected command. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with elevated privileges. An attacker would need administrator credentials to exploit this vulnerability. | ||||
| CVE-2016-10312 | 1 Jensenofscandinavia | 6 Al3g, Al3g Firmware, Al5000ac and 3 more | 2024-09-17 | N/A |
| Jensen of Scandinavia AS Air:Link 3G (AL3G) version 2.23m (Rev. 3), Air:Link 5000AC (AL5000AC) version 1.13, and Air:Link 59300 (AL59300) version 1.04 (Rev. 4) devices allow remote attackers to execute arbitrary commands via shell metacharacters to certain /goform/* pages. | ||||
| CVE-2018-0454 | 1 Cisco | 2 Cloud Services Platform 2100, Cloud Services Platform 2100 Firmware | 2024-09-17 | N/A |
| A vulnerability in the web-based management interface of Cisco Cloud Services Platform 2100 could allow an authenticated, remote attacker to perform command injection. The vulnerability is due to insufficient input validation of command input. An attacker could exploit this vulnerability by sending customized commands to the web-based management interface. | ||||